Steam API improvements (Certificate verification)

[yani]

This will:

• Verify the steam_api.dll certificate using the Windows API (protect against malware)
• Allow loading the DLL under Wine (in a very rare cases the user might have Steam running under Wine too)
• Make steam_api_init() a void function

[SimLV]

I am not sure what problem which this PR solves is exist at all.
Consider user wants to install fake steam_api.dll into KFX installation so what?

[yani]

I am not sure what problem which this PR solves is exist at all. Consider user wants to install fake steam_api.dll into KFX installation so what?

Maybe a command line flag to disable the check would be better.

Normally you can not edit the DLLs of the application without admin rights (since Windows Vista), but because using the Steam API requires you to download and place a DLL, we can protect users against malicious DLLs from shady sources. Just google "steam_api.dll" and you will see a lot of download links. Who knows if all of those are safe.

[SimLV]

Okay. I am a bit concerned about bloating dependencies but ok

[yani]

Okay. I am a bit concerned about bloating dependencies but ok

It's the Windows API so I think that's not too much of a problem.

Binary file size change is also minimal: 9866KiB -> 9868KiB. That's a 0.02% increase.

[yani]

Should I add a command line option to not verify the certificate?

[SimLV]

Yes. Better to add it. I think you don't have to support it in your Qt Launcher. (I hope you have place for "other options" there)

[yani]

I added the -nocertverify command line parameter and separated the certification verification code into its own source files.

[xtremeqg]

Like @SimLV I don't see the point of checking whether the DLL is real or not. No game I know of does that.

Normally you can not edit the DLLs of the application without admin rights (since Windows Vista) ...

Depends on where and how the application is installed. Regardless, for compatibility reasons Windows will always load any DLL with the same name from the game folder first.

... Steam API requires you to download and place a DLL ...

All the games I know either ship with with a copy of this DLL and/or load the system one.

... we can protect users against malicious DLLs from shady sources. Just google "steam_api.dll" and you will see a lot of download links.

The same holds true for all other existing and non-existing DLLs. If this is the only reason for performing the validation, I'd just provide the DLL along with KFX.

I did have concerns as far as certificate expiration goes (I hate time bombs) but as long as WTD_LIFETIME_SIGNING_FLAG isn't set, expiration appears to be ignored.

[yani]

No game I know of does that.

Depends on where and how the application is installed. Regardless, for compatibility reasons Windows will always load any DLL with the same name from the game folder first.

All the games I know either ship with with a copy of this DLL and/or load the system one.

We can not ship the official DLL ourselves because we are not an official mod on Steam. So people have to add their own one. I thought it would be good to protect users who do this.

I did have concerns as far as certificate expiration goes (I hate time bombs) but as long as WTD_LIFETIME_SIGNING_FLAG isn't set, expiration appears to be ignored.

Are you sure it's ignored? I think it's just handled by Windows and its root certificate store.